Re: [PHP] safe mode bug ?

To: debian-isp@lists.debian.org
Subject: Re: [PHP] safe mode bug ?
From: Franz Georg Köhler <lists@openunix.de>
Date: Sun, 6 Jun 2004 14:47:23 +0200
Message-id: <[🔎] 20040606124723.GA17902@bofh.hanau.net>
In-reply-to: <[🔎] 40C30FBD.4030300@hensel.nl>
References: <[🔎] 40C30FBD.4030300@hensel.nl>

On So, Jun 06, 2004 at 02:36:13 +0200, Robert Hensel <robert@hensel.nl> wrote:
> Hi,
> 
> I came upon a strange problem when trying to list directory's in safe 
> mode as a normal user. Of course I expected this not to work, because 
> safe_mode disables the possibility of reading files that not belong to 
> the owner of the PHP-file. However, it does not seem to check for 
> directory ownerships. (debian stable, PHP4.1.2). PHP does give a warning 
> about safe_mode (as seen below) but then nicely lists the directory :(
> This means any user can just browse through any dir. on my system. PHP 
> obviously still obeys UNIX file permissions so i could tighten up those, 
> and enable basedir restrictions and stuff, but it looks to me that this 
> is just a (major) bug ?

Hello,


it is widely known that safe_mode is not really safe.

You might want to restrict access with open_basedir .


The most secure solution is still to install php's cgi executable in an
suexec environment.

Reply to:

Follow-Ups:
- Re: [PHP] safe mode bug ?
  - From: Andreas John <aj@net-lab.net>
- Re: [PHP] safe mode bug ?
  - From: Robert Hensel <robert@hensel.nl>

References:
- [PHP] safe mode bug ?
  - From: Robert Hensel <robert@hensel.nl>

Prev by Date: [PHP] safe mode bug ?
Next by Date: Re: [PHP] safe mode bug ?
Previous by thread: [PHP] safe mode bug ?
Next by thread: Re: [PHP] safe mode bug ?
Index(es):
- Date
- Thread